Managing networks with System Center Essentials 2007
System Center is Microsoft’s flagship system management platform. Put together using many different components, a full System Center install can be both expensive and unwieldy – requiring several servers to host the various applications. But out of that complexity comes simplicity, as System Center also means you only need one screen to manage a whole network’s worth of mail servers, virtual machines, and databases. It’s also the one place where you can manage all the updates that get pushed out to your client PCs (and all the applications they run). Powerful as it is, the standard edition is not at all suitable for the SME market. That’s where System Center Essentials comes in.
Designed for SME networks of up to 30 servers and 500 PCs (and an unlimited number of network devices), SCE brings much of the functionality you actually need into one package, mixing Windows Server Update Services (WSUS) with System Center Operations Manager.
It’s a powerful combination, as you can monitor the performance of customers’ servers and desktops (with full reporting, alerts and proactive fixes) as well as controlling application deployment, patching and Windows updates. Operations Manager Management Packs simplify managing specific hardware and services, so you can leave SCE looking after your clients’ systems, while you concentrate on more complex tasks.
System Center Essentials 2007 SP1 adds support for Windows Server 2008, though we’d still recommend avoiding deploying it on anything other than a 32-bit Windows Server 2003 (or 2003 R2) machine. That’s because it relies on SQL Server 2005, and the bundled SQL Server 2005 Express Advanced Edition doesn’t have 64-bit support. There are also issues with connecting to Report Server under Windows 2008, even if you’re using a remote SQL Server 2005 Express or a full SQL Server 2005 installation (either local or remote).
Whatever you install it on, you’ll need to meet the minimum spec for a server – Windows Server 2003 SP1 running on a machine with at least 2GB of RAM. You can run SCE in less memory, but it’s not recommended and performance will be poor.
You’ll also need to install on a server that’s already part of the Active Directory forest that you want to manage – so unless you’ve got a fast VPN to your client’s network, you’ll need to install SCE on site. The server needs to be running the World Wide Web service, so make sure you have the appropriate role installed. It also needs the .NET framework, as most of the console views are actually ASP.NET pages. You don’t need to install these manually though; click on the More button to get download links or instructions on how to solve related issues. One common problem is that ASP.NET 2.0 isn’t registered; to solve this you need to run a short script in the ASP.NET directory to complete the registration. The wizard makes this easier because you can cut and paste the commands from the More dialog.
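The server requirements described above can be checked in one pass before running setup. The PowerShell below is an added example, not part of the original article or of Microsoft's installer; the function names are hypothetical, and checking for .NET Framework 2.0 specifically is an assumption drawn from the article's mention of ASP.NET 2.0. It assumes Windows PowerShell is installed on the candidate server.

```powershell
# Added example (not Microsoft's installer logic): pre-flight check for the
# SCE 2007 server requirements named in the article. Function names are hypothetical.
function New-Check($Name, $Passed, $Detail) {
    $o = New-Object PSObject
    $o | Add-Member NoteProperty Check  $Name
    $o | Add-Member NoteProperty Passed ([bool]$Passed)
    $o | Add-Member NoteProperty Detail $Detail
    $o
}

function Test-ScePrerequisite {
    $os  = Get-WmiObject -Class Win32_OperatingSystem
    $cs  = Get-WmiObject -Class Win32_ComputerSystem
    $cpu = Get-WmiObject -Class Win32_Processor | Select-Object -First 1

    # Windows Server 2003 and 2003 R2 report version 5.2; SP1 is the stated minimum.
    New-Check 'Windows Server 2003 SP1 or later' `
        (($os.Version -like '5.2.*') -and ($os.ServicePackMajorVersion -ge 1)) `
        ("{0}, SP{1}" -f $os.Caption, $os.ServicePackMajorVersion)

    # The bundled SQL Server 2005 Express has no 64-bit support, so flag a 64-bit OS.
    New-Check '32-bit operating system' ($cpu.AddressWidth -eq 32) `
        ("{0}-bit" -f $cpu.AddressWidth)

    # WMI reports slightly less than the installed RAM, so round to one decimal place.
    $ramGB = [math]::Round($cs.TotalPhysicalMemory / 1GB, 1)
    New-Check 'At least 2GB of RAM' ($ramGB -ge 2) ("{0} GB" -f $ramGB)

    # The management server must already belong to the forest it will manage.
    New-Check 'Member of an Active Directory domain' $cs.PartOfDomain $cs.Domain

    # W3SVC is the service name of the World Wide Web Publishing service (IIS).
    $www = Get-Service -Name W3SVC -ErrorAction SilentlyContinue
    $wwwState = 'not installed'
    if ($www) { $wwwState = "$($www.Status)" }
    New-Check 'World Wide Web service running' ($wwwState -eq 'Running') $wwwState

    # Assumption: .NET 2.0 is the version needed, since the console uses ASP.NET 2.0.
    $ndp = Get-ItemProperty -ErrorAction SilentlyContinue `
        -Path 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v2.0.50727'
    New-Check '.NET Framework 2.0 installed' ($ndp.Install -eq 1) `
        ("Install flag = {0}" -f $ndp.Install)
}

# Run on the candidate management server; any row with Passed = False needs fixing first.
Test-ScePrerequisite | Format-Table -AutoSize
```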
Reporting Services Required
SCE needs a SQL Server database to run. The wizard will install the bundled SQL Server 2005 Express Advanced Edition with a full set of management tools as well as Reporting Services. This is a key component of SCE, handling the delivery of reports to your desktop, so you’ll need to make sure it’s installed if you’re planning on using an existing database (SQL Server or SQL Server Express). One thing to note: SQL Server 2008 isn’t supported.
Choose an existing local or remote database from the wizard, and then pick the location for the data files. If you’re not installing the bundled database, you’ll need to connect to a Report Server on the existing database. This needs to be configured before you make a connection, so check that it is working by using a browser to connect to the report index pages. If your Report Server is only serving SSL pages, make sure to use the IIS management tools to switch it so that it responds to http requests instead of https.
SCE requires administrator access to the machines in the Active Directory that’s being managed. It’s good practice to create a new administrative account with a complex password for SCE – this will allow you to use existing logging tools to make sure the service is operating correctly. You can use a local account on each machine, though we wouldn’t recommend this approach (because you’d have to set it up on every single machine you’re managing). The SCE administrator account will be used to control and operate the agents that SCE deploys to all managed computers, as well as collecting data.
Once the install completes, back up the encryption key that SCE uses to secure operations data. This is best held on a USB key or similar as an offsite backup. Once saved, you can use this key to restore access to data if the software needs to be reinstalled. You’ll also need to give the key a password.
SCE is now ready to start monitoring and managing a network. The bundled CALs let you work with up to 10 servers and 50 client PCs; enough for most small networks. It’s important to keep track of the licences you’ve used – you don’t want to install a new server at a client site and suddenly discover that it’s not going to be managed automatically. Extra CALs are available through the usual routes.
Choosing what to Measure
Run the Feature Configuration Wizard to complete the process of configuring your SCE install. You’ll first be asked to define any proxy servers used (important if your clients are using tools like ISA to connect branch offices to a central site). The next step entails defining Active Directory Group Policies for the machines being managed. SCE gives you the tools for managing software deployments and controlling which updates are rolled out so you know what you’re dealing with, and client machines need to be set up to use it in preference to Microsoft’s own update services.
Application errors on the PCs you’re monitoring will need to be collated. These are uploaded from client PCs to the SCE server, and delivered to a specific location; define a directory for these reports and a TCP port to be used for submissions. You’ll also need to define how and when daily reports are sent. It’s a good idea to send them when systems aren’t busy, and in time to make any fixes at the start of the working day – say 6 or 7am. Reports are sent to a predefined email address, via an SMTP connection. It’s also a good idea to make this address an alias or a distribution group, so that everyone who needs to see the report receives a copy.
The emailed reports are detailed summaries of the status of monitored machines. Error alerts are flagged, as is the update status of servers and desktops. If you’re using SCE to push software to machines, you’ll be able to see how many packages have been deployed. Another useful feature of the report is a quick overview of available hard drive capacity. It’s worth keeping an eye on drives with between 50 and 90% capacity used, and talking to your clients urgently about those with less than 10% of space left. Monitor figures over time to decide whether a client needs to upgrade hard drives soon or can wait until the next hardware refresh.
You can also automate the process of finding new machines on the network. SCE’s automated discovery tools scan for new domain-attached machines; if someone at a client site brings in a new machine and sets it up without involving you, SCE will find it and deliver its agents without bothering you. You probably want to set a time in the middle of the working day to catch any desktops or laptops rather than the predefined 3am discovery schedule!
On the PC
Like most systems management tools, SCE needs agents running on the machines it’s controlling. These run as Windows services, collecting performance data, along with details of the hardware and software on the monitored machine. The resulting data is collated on the server and used to produce the management reports.
Your first task is to scan the network and deploy agents to the machines you plan to work with.
From the Administration screen of the SCE console choose the Configure computers and devices to manage option. This launches the Computer and Device Management Wizard which allows you to detect the domain machines and deploy agents. The automated discovery tools will scan the domain, using the network’s Active Directory to simplify the process of finding and managing machines. However not every machine on a network is part of a domain – especially network devices. SCE is able to work with systems using standard management tools like SNMP, and you can use the Advanced discovery tools to quickly index all the devices on a network, including routers and switches. Just specify the network addresses and the SNMP community string for your devices (as well as the SNMP version) and click Discover.
One of SCE’s most important functions is to control and deploy software. If you’re using it to replace Windows Server Update Services or as a replacement for Microsoft’s patch and update Web service, then it needs to be configured to download and host all the files you’re going to need. This can take a long time, and use a lot of bandwidth – so it’s best to run the Update Management Configuration Wizard at the end of the working day. Once you’ve configured any proxy information, click Synchronize to download the latest catalogue of product updates from Microsoft. You do have the option of only downloading OS updates, which can simplify things considerably, as the list of applications and servers that can be updated is quite long.
Choose the servers and operating systems you want to download updates for. If you’re only supporting a specific version of an OS or an application you can choose to only download the appropriate updates – keeping bandwidth use to a minimum. You can control the languages supported. The default is the default language of the management server, so only add languages that you know you need to support.
SCE classifies updates, and you can choose the types of update you want to install. The default selection is to only download critical, security and service pack updates. In practice you’re going to need to download a lot more than this – so you can use SCE to deliver definition updates for anti-spyware and security tools, as well as handling driver updates and regular application updates. To keep bandwidth usage down it’s best to start with the defaults and then add additional update types later. This will also minimise any issues resulting from pushing updates to previously unmanaged machines.
The Update View is an important piece of the update process. Use it to approve and decline updates once you’ve downloaded them. The Properties dialog describes the contents of the update, and provides links to appropriate Knowledge Base articles. A similar tool is used to prepare software packages for installation.
Updates can be synchronised manually, or on a schedule. It’s best to do the first update manually, as it’s going to be a hefty download. Once you’ve loaded Microsoft’s complete update history, future downloads will be smaller – so a simple daily update should be sufficient, even for an OS service pack.
One key SCE feature is the ability to divide managed machines into groups. Not every computer needs the same software mix, and not everyone needs to be updated at the same time. Consider creating different groups for different classes of user, and assigning machines appropriately.
Manage more with Management Packs
Once you’ve got your clients and servers ready to manage, and SCE handling updates for you, you can then start to install management packs. Introduced with Microsoft Operations Manager (MOM – now System Center Operations Manager), specific Management Packs bundle the collective knowledge of a product’s developers and support engineers into a set of rules that help you operate and maintain the hardware or software being managed. Microsoft provides management packs for most of its software (usually committing to release a new management pack within 90 days of software releases) as do third parties. Many management packs are free, though you may have to pay for some third-party packs. Companies like Dell and HP have management packs for their hardware, connecting System Center with specialist management and monitoring tools built into their servers.
Not every management pack works with System Center Essentials 2007, though most can be imported and used. Check the System Center Essentials blog (http://blogs.technet.com/systemcenteressentials/) for details of what works, and keep an eye on the forum. If a management pack doesn’t exist for applications and services you use regularly, you can write your own. SCE includes editing and authoring tools to help you build your own management features. You can use the built-in templates to get started quickly.
Out of the box you get monitoring tools for many of the services your clients are likely to use, though it’s worth checking the online Management Pack catalogue for updates. You can drill down into the performance of all your managed servers, and get key performance indicators that help you determine whether applications should be moved to alternative servers, or if you need to make configuration changes. The various health indicators are important tools, and you should make yourself as familiar with them as possible.
You can use the health monitors to quickly check on the state of a server or a desktop; just drill down into the indicators you want to explore. You can see common problems at an OS or a hardware level, as well as reports that show whether services or drivers are causing problems. Tools like this make SCE a key part of your problem solving toolkit. Once you know where a problem lies, you can investigate further using SCE’s tools – or your favourite analysis tools.
Not every service or application comes with a management pack – so you may need to use the Add Monitoring Wizard to create your own monitors for applications and services. You can work with OLE DB data sources, TCP ports, Windows services and Web applications. Web applications can be monitored by recording browser sessions that you can replay to assist in monitoring user interfaces as well as server performance. Distributed applications can also be monitored, by defining the various components of the application and how they’re connected.
System Center Essentials 2007 is a powerful tool, and while it’s not as cheap as some alternatives (unless you use the free single-server Intel edition), it builds on the rest of Microsoft’s management suite and delivers a package that saves you both time and money. That’s a win in anyone’s book, and if you’re working with a lot of medium-sized Windows-centric networks, then SCE should be at the top of your list of management solutions.
SCE and Intel
Management packs are the way you extend SCE beyond the built-in capabilities; there are a large number in Microsoft’s online library. Once downloaded and installed they add new management tools to SCE, along with proactive help that simplifies managing hardware and software.
There are management packs for HP and Dell hardware, but you can also download tools from Intel to help manage all Intel-based servers. Intel provides three different management packs: a server management pack, a modular server management pack, and an AMT management pack. Download them from: www.intel.com/support/motherboards/server/sysmgmt/index.htm
The AMT management pack is particularly useful, as it works with the vPro hardware in Intel-based business desktop and laptop PCs. Using this you can connect securely to PCs, even when they’re powered down, pushing updates and diagnosing hardware issues without needing an OS. vPro also means customer hardware can be tracked using an asset log.
Intel also offers its own package built around SCE. The Intel System Management solution comes in three versions, a free single-server edition, a low cost small network edition (for up to 5 servers and 15 client PCs), and the Standard Edition – based on the familiar SCE 2007. These are effectively a bundle of SCE with the Intel management packs, so what you’re getting is convenience (and you can add further management packs as with standard SCE SKUs) – and the free single-server edition is only available this way.
System Center Essentials isn’t really designed for remote management. Management servers need to be part of the Active Directory forest for the sites and servers being controlled. If you’re working with several clients, that means multiple installs for the management tools. While it’s possible to work with the reports that SCE emails you, sometimes it’s better to connect directly into the management servers – without using remote desktop to make the connection.
If you’ve got a VPN to your clients’ sites, why not install a SCE user interface in a virtual machine that’s joined to the appropriate domain? You can then connect to a running server to see reports and handle any outstanding issues. VMs can also be transferred to laptops for use on the client site without having to reconfigure installs for each and every visit.
You will need a fairly hefty laptop to carry around a complete SCE VM – and we’d recommend plenty of memory and either 64-bit Windows Vista or Server 2008 as the host OS. Running a 32-bit VM on a 64-bit OS may seem like overkill, but it means you’ll get access to all 4GB of memory, essential to give your VMs 2GB of overhead.
Microsoft’s System Center Essentials blog:
Choose Management Packs from this Microsoft-hosted catalogue:
A blog focusing on managing infrastructure with System Center Essentials:
Details of Intel’s SCE 2007-based management solutions:
Microsoft’s partner site for SCE has business details as well as technical information: